Issues

ZF-5817: Can't use external email addresses as username with Zend_Auth_Adapter_Ldap

Issue Type:

Bug

Created:

2009-02-17T12:24:07.000+0000

Last Updated:

2009-07-20T11:39:12.000+0000

Status:

Resolved

Fix version(s):

1.9.0 (31/Jul/09)

Reporter:

Seth P (spurcell)

Assignee:

Stefan Gehrig (sgehrig)

Tags:

Zend_Auth_Adapter_Ldap

Related issues:

Attachments:

Description

We were looking into authenticating our webapp users based on their email addresses via LDAP, but if you pass an arbitrary email address to a Zend_Auth_Adapter_Ldap:

WITH an accountDomainName set (and inferred accountCanonicalForm = 4), it treats the email address as a domain-qualified username and the authentication attempt fails for any user whose email domain is not accountDomainName - since the LDAP server is understood to be an authority only for accountDomainName, you get a domain mismatch.

WITHOUT an accountDomainName set (and inferred accountCanonicalForm = 2), it canonicalizes the "@" and everything after it right off the domain, and you end up with only the local part of the user's email address being passed to the LDAP server, which of course doesn't match if you're querying by email address with the following (correct) filter: "(&(objectClass=inetOrgPerson)(mail=%s))", as opposed to the default.

If you try to force accountCanonicalForm = 4 to include the domain without specifying an accountDomainName, it throws an exception.

To verify the behavior we were seeing, we tried using cn instead of mail as the RDN by setting cn= the email address minus its "@", and set the filter to "(&(objectClass=inetOrgPerson)(cn=%s))". This authenticated successfully.

Comments

Posted by Michael B Allen (miallen) on 2009-02-17T13:16:50.000+0000

An email address is not a qualified account name. It is just an email address. What you want is basically ACCTNAME_FORM_EMAIL = 5 with corresponding logic to canonicalize the account name to the mail attribute. Which is to say Zend_Auth_Adapter_Ldap simply does not implement this.

Note that I think this would require querying the LDAP server which would slow things down a little.

I agree this should be implemented but I will not be active on this project for the foreseeable future.

You could extend Zend_Ldap to add the desired behavior (and then you would have to also extend Zend_Auth_Adapter_Ldap so that it used your extended Zend_Ldap).

Finally, this should really be assigned to Zend_Ldap and not Zend_Auth_Adapter_Ldap as Zend_Ldap is where the actual name canonicalization occurs.

Posted by Stefan Gehrig (sgehrig) on 2009-02-17T23:52:53.000+0000

The new extended Zend_Ldap component that currently is in the Standard Incubator takes care of this issue as it provides a '{{tryUsernameSplit}}' option that, when set to {{false}}, will skip the splitting operation you described in case (2) and will allow to pass the full email address to the LDAP server. (I admit that the option name is not quite perfect yet...)

Perhaps you can try the new component or extract the relevant code to extend Zend_Ldap yourself as Michael pointed out.

Posted by Stefan Gehrig (sgehrig) on 2009-07-20T11:39:11.000+0000

fixed in trunk for next minor-release 1.9. Behaviour is controlled by the option key tryUsernameSplit,